Bugtraq mailing list archives
Re: Request for discussion.
From: newsham () aloha net (Timothy Newsham)
Date: Mon, 6 Feb 1995 15:03:13 -1000 (HST)
== - collect suid programs into common directory, or perhaps
== a separate directory for uid/gid. (both in src and bin form).
== rationale: Increase awareness of security critical programs.
== Make it easier to check all suid programs at once.

difficult for administration, particularly when patching or updating a package akin to smail. suggestion: run find with a -exec sum option. collect and store in a truly safe place (e.g. a floppy disk). set up cron to run a comparison job (e.g. run find for suid/sgid, perform sum, mount floppy, then compare). perhaps link suid/sgid binaries to a common, *hidden* directory for easy reference? use soft links to avoid easy detection.
You are addressing my post as if these were things I'd like done to a single machine. Rather this is my wishlist for "the way I'd like to see things done". When I say separate suids I mean I'd like the default suid binaries to all be in one directory, and their sources in another. I think "real" systems will always have a /usr/local that doesn't quite follow the same layout as their base system.
== - database of privileged programs and dependencies. I.e. config
== files, temp files, directories, databases, etc.
== rationale: Keep track of assumptions in security critical programs.
== Avoid holes that arise out of changing an assumption (example
== making utmp world readable). Make it easier for automated
== checks (i.e. world writable directories like preserve and
== msgs).

i like this. in fact, i stress such things when i perform security audits. caveat: do *NOT* store this database on-line. perhaps set up a secure, stand-alone machine (be cheesy: ifconfig down) for storage of security info.
I think making this public knowledge will give the best results in the end. If this was a setup for a single system or group of systems then hiding any security auditing you've done might be a good idea.
== - system list of users allowed to use suid and sgid. Suid
== binaries not run if file owner not allowed to use suid/sgid.
== rationale: reduce the ability to store privilege on a filesystem.

users would not be able to send mail. users would not be able to rlogin/remsh. this is too sweeping a gesture, although the intent is good. suggestion: write wrapper binaries around the suid/sgid commands. log activity. makes a nice complement to some of the daemon wrappers.
Ugh. I didn't state this clearly. Please read my response posted to usenet.
very good thoughts. enjoy good horror stories? read the Morris and Bellovin papers. the idea above needs no more support than that.
read them quite a while ago.
o robert owen thomas: Unix consultant. MAILER-DAEMON. user scratching post. o
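The checksum routine sketched in the reply above (find with -exec sum, a baseline kept on offline media, a cron job that compares) as a worked POSIX shell example. This is added here and is not code from either poster; it substitutes the POSIX cksum for sum, and the directory, file names and contents it checks are constructed sample data, not real system binaries.

```shell
#!/bin/sh
# Added example, not from the original thread: a baseline-and-compare
# check for setuid/setgid files in the spirit of "find ... -exec sum".
# POSIX cksum stands in for sum; paths may contain spaces.

# Emit "crc size path" for each setuid or setgid regular file under $1.
suid_checksums() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec cksum {} + 2>/dev/null | sort -k 3
}

# Record the baseline in $2 (keep the real one on read-only/offline media).
suid_baseline() {
    suid_checksums "$1" > "$2"
}

# Compare $1 against baseline $2; print ADDED/REMOVED/CHANGED lines.
# Returns 0 when nothing differs, 1 otherwise (suitable for a cron job).
suid_compare() {
    suid_checksums "$1" | awk -v base="$2" '
        function path(s) { sub(/^[^ ]+ [^ ]+ /, "", s); return s }
        BEGIN { while ((getline l < base) > 0) { split(l, f, " "); old[path(l)] = f[1] " " f[2] } }
        { p = path($0); seen[p] = 1
          if (!(p in old))              { print "ADDED   " p; n++ }
          else if (old[p] != $1 " " $2) { print "CHANGED " p; n++ } }
        END { for (p in old) if (!(p in seen)) { print "REMOVED " p; n++ }
              exit (n ? 1 : 0) }'
}

# Demo on a constructed directory (sample files, not real system binaries).
demo() {
    d=$(mktemp -d)
    printf 'x' > "$d/passwd"; chmod 4755 "$d/passwd"   # setuid
    printf 'y' > "$d/wall";   chmod 2755 "$d/wall"     # setgid
    printf 'z' > "$d/ls";     chmod 755  "$d/ls"       # ordinary, ignored
    suid_baseline "$d" "$d.baseline"
    # Alter one file. Unprivileged writes clear the setuid bit on Linux,
    # so restore it; otherwise the file would show up as REMOVED instead.
    printf 'changed' > "$d/passwd"; chmod 4755 "$d/passwd"
    printf 'q' > "$d/extra"; chmod 4755 "$d/extra"      # not in baseline
    suid_compare "$d" "$d.baseline" || echo "integrity check FAILED"
    rm -rf "$d" "$d.baseline"
}
demo
```

In a deployment the baseline file would live on the offline medium the reply describes and be mounted read-only only for the comparison run.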